* Security Researcher for Blackwing Intelligence (formerly Praetorian Global)



* We're always looking for cool security projects 



* Member of Digital Revelation 

* 2-time CTF Champs - Defcon 9 & 10



* Not an NFC or RFID expert! 

* Radio Frequency Identification - RFID

* Broad range of frequencies: low kHz to super high GHz 



* Near Field Communication - NFC 

* 13.56 MHz

* Payment cards 

* Library systems 

* e-Passports 

* Smart cards 
* Standard range: ~3 - 10 cm 



* RFID Tag 

* Transceiver 

* Antenna 

* Chip (processor) or memory 

* RFID (tag) in credit cards

* Visa - PayWave 

* MasterCard - PayPass 

* American Express - ExpressPay 

* Discover - Zip 







* Proximity Coupling Devices (PCD) / Point of Sale (POS) terminal / Reader

* EMV (Europay, Mastercard, and VISA) standard for communication between chipped credit cards and POS terminals

* Four "books" long 

* Based on ISO 14443 and ISO 7816 

* Communicate with Application Protocol Data Units (APDUs) 

* Why create NFCProxy?

* I'm lazy 

* Don't like to read specs 

* Didn't want to learn protocol (from reading specs) 

* Future releases should work with other standards (diff protocols) 

* Make it easier to analyze protocols 

* Make it easier for other people to get involved 



* Contribute to reasons why this standard should be fixed 



Adam Laurie (Major Malfunction)

* RFIDIOt

* http://rfidiot.org



Pablos Holman

* Skimming RFID credit cards with ebay reader

* http://www.youtube.com/watch?v=vmailKJrT.qU

3ric Johanson

* Pwnpass

* http://www.rfidunplugged.com/pwnpass/

Kristin Paget

* Cloning RFID credit cards to mag strip

* http://www.shmoocon.org/2012/presentations/Paget_shmoocon2012-credit-cards.pdf

Tag reading apps 



BLACKWINGINTELLIGENCE 






* Contactless Credit card reader (e.g. VivoPay, Verifone) 

* ~$150 (retail)

* ~$10 - $30 (ebay)



* Card reader

* OmniKey (~$50-90 ebay), ACG, etc.

* Proxmark ($230-$400)



* Mag stripe encoder ($200-$300)

What is NFCProxy?

* An open source Android app 

* A tool that makes it easier to start messing with NFC/RFID 

* Protocol analyzer 

Hardware required 

* Two NFC capable Android phones for full feature set 

* Nexus S (~$60 - $90 ebay)

* LG Optimus Elite (~$130 new. Contract free) 

* No custom ROMs yet 

* Galaxy Nexus, Galaxy S3, etc. (http://www.nfcworld.com/nfc-phones-list/)



Software required 

* One phone 

* Android 2.3+ (Gingerbread) 

* Tested 2.3.7 and ICS 

* At least one phone needs: 

* Cyanogen 9 nightly build from: Jan 20 - Feb 24 2012 

* Or Custom build of Cyanogen 

[Screenshot: GitHub commit history for CyanogenMod / android_frameworks_base, branch ics, file core/java/android/nfc/tech/IsoPcdA.java]

* Feb 25, 2012 - "Revert back to the public api/current.txt and properly @hide the new ..." (koush)

* Jan 20, 2012 - "Added NFC Reader support for two new tag types: ISO PCD type A and IS..." (doug yeager)

android_frameworks_base (Java API)

* https://github.com/CyanogenMod/android_frameworks_base/commit/c8oci^bed^b.^edfib6iebf;4^e^ifobQoeddcdadf

android_external_libnfc-nxp (native library)

* https://github.com/CyanogenMod/android_external_libnfc-nxp/commit/^4fi^Q82C2e78di770eQ8b4ed6if446beebQ.^d88

android_packages_apps_Nfc (Nfc.apk - NFC Service)

* https://github.com/CyanogenMod/android_packages_apps_Nfc/commit/d4iedfd7Q4d4dofeddQidf;6iii4^o8fodf;f8^878

* NFC Reader code disabled because it interferes with Google Wallet

* https://github.com/CyanogenMod/android_packages_apps_Nfc/commit/7f;ad8sbo6Q^scfe2ccsf;6eaifef;ccbQbs44676QS

[Diagram: Host, Antenna, Secure Element]

* Proxy transactions

* Save transactions 

* Export transactions 

* Tag replay (on Cyanogen side) 

* PCD replay 

* Don't need to know the correct APDUs for a real transaction

* Use the tool to learn about the protocol (APDUs) 

Relay Mode

* Opens port and waits for connection from proxy 

* Place Relay on card/tag 



Proxy Mode 

* Swipe across reader 

* Forwards APDUs from reader to card 

* Transactions displayed on screen 

* Long Clicking allows you to Save, Export, Replay, or Delete 

* Replay Reader (Skimming mode*)

* Put phone near credit card 

* Nothing special going on here 

* Know the right APDUs 



* Replay Card (Spending mode) 

* Swipe phone across reader 

* Phone needs to be able to detect reader - Card Emulation mode 

* Requires CyanogenMod tweaks 

* Virtual wallet 






* A word about Android NFC antennas

* Galaxy Nexus: CRAP! 

* Nexus S: Good 

* Optimus Elite: Good 



* NFC communication is often incomplete 

* Need to reengage/re-swipe the phone with a card/reader 

* Check the "Status" tab in NFCProxy

* EMV Book 3

* http://www.emvco.com/download_agreement.aspx?id=6f;4






* See RFIDIOt (ChAP.py) and pwnpass for APDUs used for skimming 

* Proxy not needed for skimming and spending

* Just for protocol analysis 

[Screenshot: NFCProxy app with DATA, STATUS and SAVED tabs]

* Let's see it in action!

* What's next?

* Generic framework that works with multiple technologies

* Requires better reader detection

* Pluggable modules

* MITM 

* Protocol Fuzzing 

* Now available for download and contribution

* http://sourceforge.net/projects/nfcproxy/

* Questions?



* Contact: eddie{at}blackwinghq.com 



